Created attachment 281371
filesystem image

When I try to mount the attached image, btrfs crashes. Messages & reproducer are as follows.

---
mkdir test
mount -t btrfs 1.img mnt

[ 113.906303] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[ 113.908306] #PF error: [normal kernel read fault]
[ 113.909502] PGD 800000022b2bd067 P4D 800000022b2bd067 PUD 22b2bc067 PMD 0
[ 113.911242] Oops: 0000 [#1] SMP PTI
[ 113.912136] CPU: 0 PID: 1106 Comm: mount Not tainted 5.0.0-rc8+ #9
[ 113.913682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 113.915933] RIP: 0010:btrfs_verify_dev_extents+0x2a5/0x5a0
[ 113.917317] Code: 85 c0 0f 84 95 02 00 00 4c 8b 88 98 00 00 00 4d 85 c9 0f 85 9b 00 00 00 48 8b 45 98 48 8b 80 68 cb 00 00 48 8b 90 c8 00 00 00 <48> 8b 82 98 00 00 00 48 81 c2 98 00 00 00 48 39 d0 74 1c 48 39 98
[ 113.921963] RSP: 0018:ffffb569411479c8 EFLAGS: 00010246
[ 113.923297] RAX: ffffa0643565ac00 RBX: 0000000000000001 RCX: 0000000000000000
[ 113.925091] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa0643565ac00
[ 113.926878] RBP: ffffb56941147a60 R08: 0000000005800000 R09: 0000000000000000
[ 113.928693] R10: 0000000000000000 R11: 0000000000000001 R12: ffffa0642fcdac40
[ 113.930466] R13: 0000000000000000 R14: 0000000000100000 R15: ffffa0642b8b2510
[ 113.932250] FS:  00007ff1fb7d2840(0000) GS:ffffa06437a00000(0000) knlGS:0000000000000000
[ 113.934264] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 113.935721] CR2: 0000000000000098 CR3: 0000000231d46004 CR4: 00000000000206f0
[ 113.937509] Call Trace:
[ 113.938153]  open_ctree+0x160d/0x2149
[ 113.939089]  btrfs_mount_root+0x5b2/0x680
[ 113.940121]  ? btrfs_mount_root+0x5b2/0x680
[ 113.941181]  ? pcpu_next_unpop+0x3c/0x50
[ 113.942175]  ? cpumask_next+0x1b/0x20
[ 113.943106]  ? pcpu_alloc+0x2f1/0x650
[ 113.944117]  mount_fs+0x51/0x170
[ 113.944941]  ? btrfs_decode_error+0x30/0x30
[ 113.945999]  ? mount_fs+0x51/0x170
[ 113.946871]  vfs_kern_mount+0x67/0x120
[ 113.947838]  btrfs_mount+0x173/0x8cd
[ 113.948743]  ? pcpu_block_update_hint_alloc+0x1bb/0x1e0
[ 113.950054]  ? pcpu_next_unpop+0x3c/0x50
[ 113.951042]  ? cpumask_next+0x1b/0x20
[ 113.951987]  ? pcpu_alloc+0x2f1/0x650
[ 113.952919]  mount_fs+0x51/0x170
[ 113.953741]  ? mount_fs+0x51/0x170
[ 113.954610]  vfs_kern_mount+0x67/0x120
[ 113.955577]  do_mount+0x208/0xd20
[ 113.956430]  ? __check_object_size+0x111/0x1b0
[ 113.957555]  ? memdup_user+0x4f/0x70
[ 113.958467]  ksys_mount+0x83/0xd0
[ 113.959329]  __x64_sys_mount+0x25/0x30
[ 113.960281]  do_syscall_64+0x5a/0x110
[ 113.961214]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 113.962482] RIP: 0033:0x7ff1fb0b1b9a
[ 113.963404] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 113.968050] RSP: 002b:00007ffc6b23ac78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 113.969936] RAX: ffffffffffffffda RBX: 000000000243d030 RCX: 00007ff1fb0b1b9a
[ 113.971741] RDX: 000000000243d210 RSI: 000000000243ff40 RDI: 000000000243d230
[ 113.973536] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
[ 113.975340] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 000000000243d230
[ 113.977133] R13: 000000000243d210 R14: 0000000000000000 R15: 0000000000000003
[ 113.978924] Modules linked in:
[ 113.979723] CR2: 0000000000000098
[ 113.980592] ---[ end trace ccdbf4eb4af71642 ]---
[ 113.981794] RIP: 0010:btrfs_verify_dev_extents+0x2a5/0x5a0
[ 113.983205] Code: 85 c0 0f 84 95 02 00 00 4c 8b 88 98 00 00 00 4d 85 c9 0f 85 9b 00 00 00 48 8b 45 98 48 8b 80 68 cb 00 00 48 8b 90 c8 00 00 00 <48> 8b 82 98 00 00 00 48 81 c2 98 00 00 00 48 39 d0 74 1c 48 39 98
[ 113.987908] RSP: 0018:ffffb569411479c8 EFLAGS: 00010246
[ 113.989253] RAX: ffffa0643565ac00 RBX: 0000000000000001 RCX: 0000000000000000
[ 113.991063] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa0643565ac00
[ 113.992902] RBP: ffffb56941147a60 R08: 0000000005800000 R09: 0000000000000000
[ 113.994705] R10: 0000000000000000 R11: 0000000000000001 R12: ffffa0642fcdac40
[ 113.996521] R13: 0000000000000000 R14: 0000000000100000 R15: ffffa0642b8b2510
[ 113.998335] FS:  00007ff1fb7d2840(0000) GS:ffffa06437a00000(0000) knlGS:0000000000000000
[ 114.000387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.001857] CR2: 0000000000000098 CR3: 0000000231d46004 CR4: 00000000000206f0
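A triage step the trace above supports, as an added example that is not part of the bug report or of btrfs: decode the instruction at the `<xx>` marker of the kernel `Code:` line and compare the effective address it computes against CR2, to confirm the fault is a NULL pointer plus a fixed field offset rather than a wild pointer. The decoder is deliberately minimal and only understands the `mov r, [base + disp]` load form (opcode 8B, no SIB byte); any other instruction is reported as not decoded. The oops text embedded in the script is the first kernel register dump from the report.

```python
"""Decode the faulting instruction of an x86-64 kernel oops and check it against CR2.

Added triage example for this bug report (not part of the report or of btrfs).
Only the `mov r, [base + disp]` load form (opcode 8B, no SIB byte) is decoded;
anything else is reported as not decoded.  OOPS is the first kernel register
dump from the report, embedded so the script runs offline.
"""
import re

OOPS = """\
[ 113.906303] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[ 113.908306] #PF error: [normal kernel read fault]
[ 113.911242] Oops: 0000 [#1] SMP PTI
[ 113.912136] CPU: 0 PID: 1106 Comm: mount Not tainted 5.0.0-rc8+ #9
[ 113.915933] RIP: 0010:btrfs_verify_dev_extents+0x2a5/0x5a0
[ 113.917317] Code: 85 c0 0f 84 95 02 00 00 4c 8b 88 98 00 00 00 4d 85 c9 0f 85 9b 00 00 00 48 8b 45 98 48 8b 80 68 cb 00 00 48 8b 90 c8 00 00 00 <48> 8b 82 98 00 00 00 48 81 c2 98 00 00 00 48 39 d0 74 1c 48 39 98
[ 113.921963] RSP: 0018:ffffb569411479c8 EFLAGS: 00010246
[ 113.923297] RAX: ffffa0643565ac00 RBX: 0000000000000001 RCX: 0000000000000000
[ 113.925091] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa0643565ac00
[ 113.926878] RBP: ffffb56941147a60 R08: 0000000005800000 R09: 0000000000000000
[ 113.928693] R10: 0000000000000000 R11: 0000000000000001 R12: ffffa0642fcdac40
[ 113.930466] R13: 0000000000000000 R14: 0000000000100000 R15: ffffa0642b8b2510
[ 113.935721] CR2: 0000000000000098 CR3: 0000000231d46004 CR4: 00000000000206f0
"""

# Register names in x86-64 encoding order (ModRM reg/rm field, +8 with REX.R/REX.B).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# RSP is printed as "0018:<value>" and is not needed here, so it is not captured.
REG_RE = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R08|R09|R1[0-5]|CR2): ([0-9a-f]{16})")


def parse_registers(oops):
    """Map register name -> value, keeping the first dump that names each register
    (the kernel dump precedes any user-space dump in a full oops)."""
    regs = {}
    for name, value in REG_RE.findall(oops):
        name = name.lower()
        if name[:2] == "r0":            # R08/R09 are printed zero-padded
            name = "r" + name[2:]
        regs.setdefault(name, int(value, 16))
    return regs


def faulting_bytes(oops):
    """Bytes from the <xx> marker of the first 'Code:' line onwards (the
    marker is the instruction RIP pointed at when the fault was taken)."""
    m = re.search(r"Code: ([0-9a-f<> ]+)", oops)
    if not m:
        return b""
    toks = m.group(1).split()
    start = next((i for i, t in enumerate(toks) if t.startswith("<")), None)
    if start is None:
        return b""
    return bytes(int(t.strip("<>"), 16) for t in toks[start:])


def decode_load(code):
    """Decode `mov r, [base + disp]` (opcode 8B) at the start of `code`.
    Returns (dest, base, disp) or None when the bytes are some other form."""
    i, rex = 0, 0
    if code and 0x40 <= code[0] <= 0x4F:        # optional REX prefix
        rex, i = code[0], 1
    if len(code) < i + 2 or code[i] != 0x8B:
        return None
    modrm = code[i + 1]
    i += 2
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4:                     # register operand, or SIB form
        return None
    if mod == 0 and rm == 5:                    # RIP-relative: no GPR base
        return None
    if rex & 0x4:
        reg += 8
    if rex & 0x1:
        rm += 8
    width = {0: 0, 1: 1, 2: 4}[mod]             # disp0 / disp8 / disp32
    if len(code) < i + width:
        return None
    disp = int.from_bytes(code[i:i + width], "little", signed=True) if width else 0
    return REGS64[reg], REGS64[rm], disp


def triage(oops):
    """Compare the address computed by the faulting load against CR2."""
    regs = parse_registers(oops)
    dec = decode_load(faulting_bytes(oops))
    if dec is None or dec[1] not in regs or "cr2" not in regs:
        return {"decoded": False}
    dst, base, disp = dec
    ea = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    sign = "+" if disp >= 0 else "-"
    return {
        "decoded": True,
        "insn": f"mov {dst}, [{base}{sign}0x{abs(disp):x}]",
        "base": base,
        "base_value": regs[base],
        "effective_address": ea,
        "matches_cr2": ea == regs["cr2"],
        "null_base": regs[base] == 0,
    }


if __name__ == "__main__":
    for key, val in triage(OOPS).items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```

For this trace the bytes at the marker, `48 8b 82 98 00 00 00`, decode to `mov rax, [rdx+0x98]` with RDX = 0, which reproduces the CR2 value 0x98: a read through a NULL pointer at a fixed field offset, consistent with the "unable to handle kernel NULL pointer dereference at 0000000000000098" line. The seven bytes immediately before the marker, `48 8b 90 c8 00 00 00`, decode with the same routine to `mov rdx, [rax+0xc8]`, so the NULL value was itself loaded from offset 0xc8 of the object in RAX; that is where to look in the source for the pointer that was never validated.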
Fixed by ab4ba2e133463c702 "btrfs: tree-checker: Verify dev item", now in 5.2-rc.